Package eu.europa.esig.dss.spi.validation

Class RevocationDataVerifier

java.lang.Object

eu.europa.esig.dss.spi.validation.RevocationDataVerifier

public class RevocationDataVerifier
extends Object

This class is used to verify acceptance of a revocation data for the following validation process, whether the revocation data has been extracted from a document or obtained from an online source. The class verifies the consistency of the given revocation information and applicability of the used cryptographic constraints used to create this token. NOTE: It is not recommended to use a single instance of RevocationDataVerifier within different CertificateVerifiers, as it may lead to concurrency issues during the execution in multi-threaded environments. Please use a new RevocationDataVerifier per each CertificateVerifier.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	RevocationDataVerifier()	Default constructor

Method Summary

Modifier and Type	Method	Description
static RevocationDataVerifier	createDefaultRevocationDataVerifier()	This method is used to instantiate a new RevocationDataVerifier, using the default validation constraints (synchronized with default validation policy).
static RevocationDataVerifier	createEmptyRevocationDataVerifier()	Creates an empty instance of RevocationDataVerifier.
CertificateSource	getTrustedCertificateSource()	Gets trusted certificate source, when present
boolean	isAcceptable(RevocationToken<?> revocationToken)	This method verifies the validity of the given RevocationToken using the embedded issuer certificate token
boolean	isAcceptable(RevocationToken<?> revocationToken, CertificateToken issuerCertificateToken)	This method verifies the validity of the given RevocationToken
boolean	isRevocationDataAfterLastCertificateUsage(RevocationToken<?> revocationToken, Date lastCertificateUsage)	This method verifies if the revocation data is after the last usage of the certificate.
boolean	isRevocationDataFresh(RevocationToken<?> revocationToken, Date validationTime, Context context)	This method verifies if the revocationToken considered within context is fresh enough relatively to the given validationTime
boolean	isRevocationDataSkip(CertificateToken certificateToken)	Checks and returns whether the revocation check shall be skipped for the given certificate
protected boolean	isRevocationThisUpdateAfterValidationTime(RevocationToken<?> revocationToken, Date validationTime, long maximumRevocationFreshness)	This method verifies whether the revocation's thisUpdate time is after the validationTime minus the acceptable maximumRevocationFreshness
protected boolean	isRevocationThisUpdateAfterValidationTimeNullConstraint(RevocationToken<?> revocationToken, Date validationTime)	This method verifies whether the revocation's thisUpdate time is after the validationTime minus the difference between nextUpdate and thisUpdate field values
void	setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> acceptableDigestAlgorithms)	Sets a collection of Digest Algorithms for acceptance.
void	setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm,Integer> acceptableEncryptionAlgorithmKeyLength)	Sets a map of acceptable Encryption Algorithms and their corresponding minimal key length values.
void	setCheckRevocationFreshnessNextUpdate(boolean checkRevocationFreshnessNextUpdate)	Sets whether the difference between revocation's nextUpdate and thisUpdate fields shall be taken as a maximum acceptable revocation freshness in case no maximum revocation freshness constraint is defined for the given context Default : FALSE (no revocation freshness check is performed when maximum revocation freshness is not defined)
void	setRevocationMaximumRevocationFreshness(Long revocationMaximumRevocationFreshness)	Sets maximum accepted freshness for revocation data issued for revocation data's certificate chain certificates (CRL or OCSP).
void	setRevocationSkipCertificateExtensions(Collection<String> revocationSkipCertificateExtensions)	Sets a collection of certificate extension OIDs indicating the revocation check shall be skipped for the given certificate Default : valassured-ST-certs (OID: "0.4.0.194121.2.1") and ocsp_noCheck (OID: "1.3.6.1.5.5.7.48.1.5") (extracted from validation policy)
void	setRevocationSkipCertificatePolicies(Collection<String> revocationSkipCertificatePolicies)	Sets a collection of certificate policy OIDs indicating the revocation check shall be skipped for the given certificate Default : empty list (extracted from validation policy)
void	setSignatureMaximumRevocationFreshness(Long signatureMaximumRevocationFreshness)	Sets maximum accepted freshness for revocation data issued for signature's certificate chain certificates.
void	setTimestampMaximumRevocationFreshness(Long timestampMaximumRevocationFreshness)	Sets maximum accepted freshness for revocation data issued for time-stamp's certificate chain certificates.
protected void	setTrustedCertificateSource(CertificateSource trustedCertificateSource)	Sets a trusted certificate source in order to accept trusted revocation data issuer certificates.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

RevocationDataVerifier

protected RevocationDataVerifier()

Default constructor

Method Details

createEmptyRevocationDataVerifier

public static RevocationDataVerifier createEmptyRevocationDataVerifier()

Creates an empty instance of RevocationDataVerifier. All constraints should be configured manually.

Returns:

RevocationDataVerifier

createDefaultRevocationDataVerifier

public static RevocationDataVerifier createDefaultRevocationDataVerifier()

This method is used to instantiate a new RevocationDataVerifier, using the default validation constraints (synchronized with default validation policy).

Returns:

RevocationDataVerifier

getTrustedCertificateSource

public CertificateSource getTrustedCertificateSource()

Gets trusted certificate source, when present

Returns:

CertificateSource

setTrustedCertificateSource

protected void setTrustedCertificateSource(CertificateSource trustedCertificateSource)

Sets a trusted certificate source in order to accept trusted revocation data issuer certificates. Note : This method is used internally during a eu.europa.esig.dss.validation.SignatureValidationContext initialization, in order to provide the same trusted source as the one used within a eu.europa.esig.dss.validation.CertificateVerifier.

Parameters:

trustedCertificateSource - CertificateSource

setAcceptableDigestAlgorithms

public void setAcceptableDigestAlgorithms(Collection<DigestAlgorithm> acceptableDigestAlgorithms)

Sets a collection of Digest Algorithms for acceptance. If a revocation token is signed with an algorithm other than listed in the collection, the token will be skipped. Default : collection of algorithms is synchronized with ETSI 119 312 V1.4.2

Parameters:

acceptableDigestAlgorithms - a collection if DigestAlgorithms

setAcceptableEncryptionAlgorithmKeyLength

public void setAcceptableEncryptionAlgorithmKeyLength(Map<EncryptionAlgorithm,Integer> acceptableEncryptionAlgorithmKeyLength)

Sets a map of acceptable Encryption Algorithms and their corresponding minimal key length values. If a revocation token is signed with an algorithm other than listed in the collection or with a smaller key size, than the token will be skipped. Default : collection of algorithms is synchronized with ETSI 119 312 V1.4.2

Parameters:

acceptableEncryptionAlgorithmKeyLength - a map of EncryptionAlgorithms and their corresponding minimal supported key lengths

setRevocationSkipCertificateExtensions

public void setRevocationSkipCertificateExtensions(Collection<String> revocationSkipCertificateExtensions)

Sets a collection of certificate extension OIDs indicating the revocation check shall be skipped for the given certificate Default : valassured-ST-certs (OID: "0.4.0.194121.2.1") and ocsp_noCheck (OID: "1.3.6.1.5.5.7.48.1.5") (extracted from validation policy)

Parameters:

revocationSkipCertificateExtensions - a collection of Strings certificate extension OIDs

setRevocationSkipCertificatePolicies

public void setRevocationSkipCertificatePolicies(Collection<String> revocationSkipCertificatePolicies)

Sets a collection of certificate policy OIDs indicating the revocation check shall be skipped for the given certificate Default : empty list (extracted from validation policy)

Parameters:

revocationSkipCertificatePolicies - a collection of Strings certificate policy OIDs

setSignatureMaximumRevocationFreshness

public void setSignatureMaximumRevocationFreshness(Long signatureMaximumRevocationFreshness)

Sets maximum accepted freshness for revocation data issued for signature's certificate chain certificates. NULL value is used to disable the check. Default : 0 (revocation data shall be issued after the best-signature-time)

Parameters:

signatureMaximumRevocationFreshness - Long in milliseconds to evaluate revocation freshness,

setTimestampMaximumRevocationFreshness

public void setTimestampMaximumRevocationFreshness(Long timestampMaximumRevocationFreshness)

Sets maximum accepted freshness for revocation data issued for time-stamp's certificate chain certificates. NULL value is used to disable the check. Default : 0 (revocation data shall be issued after the time-stamp's lowest POE) Note : algorithm always ensures that there is a revocation data issued after the usage time of the time-stamp's certificate

Parameters:

timestampMaximumRevocationFreshness - Long in milliseconds

setRevocationMaximumRevocationFreshness

public void setRevocationMaximumRevocationFreshness(Long revocationMaximumRevocationFreshness)

Sets maximum accepted freshness for revocation data issued for revocation data's certificate chain certificates (CRL or OCSP). NULL value is used to disable the check. Default : 0 (revocation data shall be issued after the best-signature-time) Note : the signature or timestamp constraint takes precedence in case of conflict

Parameters:

revocationMaximumRevocationFreshness - Long in milliseconds

setCheckRevocationFreshnessNextUpdate

public void setCheckRevocationFreshnessNextUpdate(boolean checkRevocationFreshnessNextUpdate)

Sets whether the difference between revocation's nextUpdate and thisUpdate fields shall be taken as a maximum acceptable revocation freshness in case no maximum revocation freshness constraint is defined for the given context Default : FALSE (no revocation freshness check is performed when maximum revocation freshness is not defined)

Parameters:

checkRevocationFreshnessNextUpdate - whether revocation freshness should be checked against nextUpdate field

isAcceptable

public boolean isAcceptable(RevocationToken<?> revocationToken)

This method verifies the validity of the given RevocationToken using the embedded issuer certificate token

Parameters:

revocationToken - RevocationToken

Returns:

TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise

isAcceptable

public boolean isAcceptable(RevocationToken<?> revocationToken,
 CertificateToken issuerCertificateToken)

This method verifies the validity of the given RevocationToken

Parameters:

revocationToken - RevocationToken

issuerCertificateToken - CertificateToken issued the current revocation

Returns:

TRUE if the revocation data is acceptable to continue the validation process, FALSE otherwise

isRevocationDataSkip

public boolean isRevocationDataSkip(CertificateToken certificateToken)

Checks and returns whether the revocation check shall be skipped for the given certificate

Parameters:

certificateToken - CertificateToken to check

Returns:

TRUE if the revocation check shall be skipped, FALSE otherwise

isRevocationDataFresh

public boolean isRevocationDataFresh(RevocationToken<?> revocationToken,
 Date validationTime,
 Context context)

This method verifies if the revocationToken considered within context is fresh enough relatively to the given validationTime

Parameters:

revocationToken - RevocationToken to be validated

validationTime - Date the target time after which revocation token is expected to be refreshed

context - Context of the current revocation token's validation process

Returns:

TRUE if the revocation token is considered fresh enough, FALSE otherwise

isRevocationThisUpdateAfterValidationTime

protected boolean isRevocationThisUpdateAfterValidationTime(RevocationToken<?> revocationToken,
 Date validationTime,
 long maximumRevocationFreshness)

This method verifies whether the revocation's thisUpdate time is after the validationTime minus the acceptable maximumRevocationFreshness

Parameters:

revocationToken - RevocationToken to be validated

validationTime - Date

maximumRevocationFreshness - long

Returns:

TRUE if the revocation's thisUpdate is after the validation time minus the maximum acceptable revocation freshness, FALSE otherwise

isRevocationThisUpdateAfterValidationTimeNullConstraint

protected boolean isRevocationThisUpdateAfterValidationTimeNullConstraint(RevocationToken<?> revocationToken,
 Date validationTime)

This method verifies whether the revocation's thisUpdate time is after the validationTime minus the difference between nextUpdate and thisUpdate field values

Parameters:

revocationToken - RevocationToken to be validated

validationTime - Date

Returns:

TRUE if the revocation freshness check succeeds against revocation's nextUpdate, FALSE otherwise

isRevocationDataAfterLastCertificateUsage

public boolean isRevocationDataAfterLastCertificateUsage(RevocationToken<?> revocationToken,
 Date lastCertificateUsage)

This method verifies if the revocation data is after the last usage of the certificate. The method is used to ensure the new revocation data has been successfully issued after creation of the last time-stamp with the given certificate

Parameters:

revocationToken - RevocationToken to be validated

lastCertificateUsage - Date the last confirmed usage date of the corresponding certificate

Returns:

TRUE if the revocation data has been issued after the last certificate usage, FALSE otherwise